The Minnesota Department of Human Services (DHS) has reported another phishing attack that resulted in the compromise of an employee's email account. The breach occurred on or before March 26, 2018. Together with two other email-account compromises caused by phishing attacks in June and July 2018, it exposed 31,800 records.
The June and July breaches were reported in October 2018 and exposed the protected health information (PHI) of 20,800 Minnesotans; the March 26 breach compromised the PHI of a further 11,000.
In the March attack, the attacker gained access to the email account of a Direct Care and Treatment Administration employee and used it to send emails to co-workers requesting wire transfers. The requests were flagged as suspicious and reported to Minnesota IT Services (MNIT), which secured the account; no wire transfer was made.
While the attacker had access to the account, it is possible that the attacker viewed the PHI contained in its emails, although MNIT received no report that any PHI was viewed or copied. The PHI in the account included names, contact details, dates of birth, treatment details, legal histories and two Social Security numbers.
MNIT notified the FBI of the breach, and on April 9, 2019 DHS notified the credit reporting agencies, the Office of the Legislative Auditor, the media, and the state senate and house of representatives. All affected individuals also received individual notices.
DHS hired an expert to determine whether the email account contained PHI. Because of the volume of email, the review of the account was not completed until March 21, 2019.
DHS did not disclose the breach at the time of its discovery; DHS and MNIT made information about it available only on February 15, 2019. Although DHS met the HIPAA requirement to notify affected persons within 60 days of discovering the breach, MNIT considerably delayed reporting the breach to DHS, which is why the notification clock started so late.
Affected persons were notified within four months of the two earlier phishing attacks; for the latest attack, notification took more than a year.
At a state senate hearing in October 2018, held before the other two phishing attacks were announced, MNIT reported that state government agencies had dealt with more than 700 security incidents in the preceding ten months, including 150 phishing attacks. State employees receive 22 phishing emails a day on average. The figures suggested that MNIT was not prepared for the volume of attacks and lacked the resources to handle them.
Up to October, 80 cyberattacks requiring manual intervention had hit the state government, and the credentials of about 240 employees had been compromised. According to MNIT CISO Aaron Call, the attacks will continue to increase because cybercriminals are better funded.
Since the latest breach was announced, DHS has implemented further security measures to stop phishing attacks, such as blocking hyperlinks and attachments in emails received by state employees, revising DHS policies and procedures, and giving employees additional HIPAA training to help them recognize sophisticated attacks.
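The two controls the article touches on, stripping hyperlinks and attachments from inbound mail and routing wire-transfer requests from an internal account to a human for review before they reach a co-worker, can be sketched in a small mail-triage filter. The code below is an added illustration written for this page; it is not DHS or MNIT code, and the domain `dhs.example`, the keyword list and the sample messages are constructed assumptions.

```python
"""Added example (not DHS/MNIT code): a minimal inbound-mail triage filter.

It demonstrates the two measures described in the article:
  1. hyperlinks and attachments in received mail are stripped, and
  2. a wire-transfer request coming from an internal address, the pattern
     seen in the March 2018 compromise, is held for manual review instead
     of being delivered.
The domain, keywords and sample messages below are constructed for the demo.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAIN = "dhs.example"  # assumed internal mail domain

# Crude URL matcher: anything that looks like an http(s) or www link.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")
# Phrases a business-email-compromise request typically carries (assumed list).
WIRE_RE = re.compile(
    r"(?i)\b(?:wire transfer|wire|bank (?:details|account)|routing number|account number)\b"
)


def analyze_message(raw: str) -> dict:
    """Parse an RFC 5322 message and report links, attachments and BEC phrasing."""
    msg = message_from_string(raw, policy=policy.default)
    text_parts, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container only; its children are walked separately
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename() or "<unnamed>")
        elif part.get_content_type() == "text/plain":
            text_parts.append(part.get_content())
    body = "\n".join(text_parts)
    return {
        "sender": parseaddr(str(msg["From"]))[1],
        "urls": URL_RE.findall(body),
        "attachments": attachments,
        "wire_request": WIRE_RE.search(body) is not None,
        "body": body,
    }


def sanitize_body(body: str) -> str:
    """Replace every hyperlink in the body text with a placeholder."""
    return URL_RE.sub("[link removed]", body)


def triage(raw: str, internal_domain: str = INTERNAL_DOMAIN) -> dict:
    """Decide what to do with one message and return the decision plus a clean body."""
    f = analyze_message(raw)
    sender_domain = f["sender"].rsplit("@", 1)[-1].lower()
    action = "deliver"
    if f["urls"] or f["attachments"]:
        action = "deliver_sanitized"  # links stripped, attachments dropped
    if f["wire_request"] and sender_domain == internal_domain:
        # An internal account asking colleagues to move money is exactly the
        # compromised-account pattern; a human must confirm it out of band.
        action = "hold_for_review"
    return {
        "action": action,
        "sanitized_body": sanitize_body(f["body"]),
        "dropped_attachments": f["attachments"],
        "urls_removed": len(f["urls"]),
    }


def build_message(sender: str, subject: str, body: str, attach: bool = False) -> str:
    """Construct a sample message (test fixture, not captured mail)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = f"finance@{INTERNAL_DOMAIN}"
    m["Subject"] = subject
    m.set_content(body)
    if attach:
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                         subtype="pdf", filename="invoice.pdf")
    return m.as_string()


# Constructed sample resembling the March 2018 request: internal sender,
# urgent wire transfer, a link and an attachment.
BEC_SAMPLE = build_message(
    f"employee@{INTERNAL_DOMAIN}", "Urgent payment",
    "Please process an urgent wire transfer today. Invoice: http://invoice.example/123",
    attach=True,
)
BENIGN_SAMPLE = build_message(f"colleague@{INTERNAL_DOMAIN}", "Lunch", "Lunch at noon?")

if __name__ == "__main__":
    for name, raw in (("bec", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage(raw))
```

The keyword match is deliberately simple; in practice the "hold for review" branch would also fire on reply-to mismatches or newly created forwarding rules, and the held message would be confirmed with the purported sender by phone, not by replying to the same mailbox.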